Risk Assessment

What is cybersecurity risk assessment?

A cyber security risk assessment is the process of identifying, analyzing, and evaluating risk.

A risk assessment lets you choose cyber security controls that are proportionate to the risks your organization actually faces, and gives you a defensible basis for prioritizing their implementation. Without a risk assessment to guide your cyber security decisions, you risk wasting time, effort and money.

It makes little sense to spend on precautions against events that are unlikely to occur, or that would have little impact if they did.

How is a cyber security risk assessment done?

  • A cyber security risk assessment first identifies the information assets that could be affected by a cyber-attack (such as hardware, systems, laptops, customer data and intellectual property), and then the risks that could affect those assets.
  • For each identified risk to system security it determines the probability of occurrence, the resulting impact, and the additional safeguards that would mitigate that impact.
  • It includes an objective analysis of how effective the current security controls protecting the organization's assets are, and a determination of the probability of losses to those assets.

Risk Assessment Methodology

When documenting a risk assessment methodology, iSec refers to one or more recognized risk standards and structures the assessment in three phases:

  • Planning Phase:

  1. Gather information about the application in scope and its components.
  2. Meet the personnel responsible for the application to understand its functionality.
  3. Meet the business team to understand the workflow the application supports.
  4. Review the application documentation, data flow diagrams, network diagrams, the latest penetration test and vulnerability assessment reports, and the business impact analysis (whichever of these documents are available).
  5. Select the methodology to be used in the assessment.

  • Assessment Phase:

  1. The selected methodology uses qualitative measures, following NIST, PCI and ISO/IEC 27000-series guidance.
  2. Identify the threats that apply to the application.
  3. Select the threats that are valid for this application according to the information gathered.
  4. For each valid threat, identify the vulnerabilities in the client environment that it could exploit.
  5. Record the controls currently applied in the environment against each risk.
  6. Rate the severity of the threats, the vulnerabilities, the impact, and the effectiveness of the applied controls.
  7. Calculate the risk rating for each threat and vulnerability pair using the risk calculation schema defined in the risk register.
  8. Select proposed controls that mitigate each risk and bring its rating down to an acceptable level.

  • Reporting Phase:

  1. Create the risk register.
  2. Write a risk report elaborating on all identified risks.
  3. Produce a risk treatment plan with a recommended schedule for establishing the proposed controls.
  4. Obtain feedback and recommendations from the ADCB security team.
  5. Update the reports in line with ADCB's recommendations.
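The assessment and reporting phases above describe a qualitative risk calculation but do not show one. The following Python script is an added worked example, not iSec's tooling or any client's register: it builds a small risk register from constructed findings, rates inherent, current and residual risk with an assumed three-level likelihood x impact scheme and an assumed rule for how controls reduce likelihood, and produces a treatment plan that flags risks still above appetite after the proposed controls. The scales, the reduction rule, the "Medium" risk appetite and the sample findings are all assumptions made for this example.

```python
from dataclasses import dataclass, field

# Assumed three-level qualitative scales. NIST SP 800-30 and ISO/IEC 27005 permit
# qualitative scales but do not prescribe these values or the reduction rule
# below; both are illustration choices for this example.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
CONTROL_EFFECT = {"None": 0, "Partial": 1, "Effective": 2}  # likelihood steps removed
RISK_APPETITE = "Medium"  # ratings above this level must be treated


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # chance the threat exploits the vulnerability, no controls considered
    impact: str      # business impact if it does
    current_controls: dict = field(default_factory=dict)   # name -> observed effectiveness
    proposed_controls: dict = field(default_factory=dict)  # name -> expected effectiveness


def rating(score: int) -> str:
    """Map a likelihood x impact product (1..9) onto the qualitative scale."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def reduced_likelihood(likelihood: str, controls: dict) -> int:
    """Likelihood after controls: only the strongest control counts (overlapping
    controls are not stacked) and the score never drops below 1."""
    strongest = max((CONTROL_EFFECT[e] for e in controls.values()), default=0)
    return max(1, LEVELS[likelihood] - strongest)


def assess(risk: Risk) -> dict:
    """One register row: inherent, current and residual ratings plus treatment flags."""
    impact = LEVELS[risk.impact]
    inherent = LEVELS[risk.likelihood] * impact
    current = reduced_likelihood(risk.likelihood, risk.current_controls) * impact
    # Proposed controls are assessed on top of the ones already operating.
    residual = reduced_likelihood(
        risk.likelihood, {**risk.current_controls, **risk.proposed_controls}) * impact
    appetite = LEVELS[RISK_APPETITE]
    return {
        "asset": risk.asset, "threat": risk.threat, "vulnerability": risk.vulnerability,
        "inherent": rating(inherent), "current": rating(current), "residual": rating(residual),
        "treatment_required": LEVELS[rating(current)] > appetite,
        "within_appetite_after_treatment": LEVELS[rating(residual)] <= appetite,
    }


def build_register(risks: list) -> list:
    return [assess(r) for r in risks]


def treatment_plan(register: list, risks: list) -> list:
    """Rows above appetite, with the controls proposed for them. A row that stays above
    appetite even after treatment is flagged for a management decision (accept,
    avoid or transfer) instead of being listed as mitigated."""
    plan = []
    for row, risk in zip(register, risks):
        if row["treatment_required"]:
            plan.append({
                "asset": row["asset"], "threat": row["threat"],
                "controls": sorted(risk.proposed_controls),
                "expected_rating": row["residual"],
                "needs_escalation": not row["within_appetite_after_treatment"],
            })
    return plan


# Constructed sample findings for illustration; not from any real engagement.
SAMPLE_RISKS = [
    Risk("Internet banking portal", "Credential stuffing", "No MFA on customer login",
         "High", "High",
         current_controls={"Lockout after 10 failed attempts": "Partial"},
         proposed_controls={"MFA for all customer logins": "Effective"}),
    Risk("Internal jump host", "Exploitation of unpatched service", "Unsupported OS release",
         "High", "High",
         proposed_controls={"Network segmentation": "Partial"}),
    Risk("Office printer", "Firmware tampering", "Default admin password",
         "Low", "Low",
         proposed_controls={"Change default credentials": "Effective"}),
]

if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    for row in register:
        print(f"{row['asset']:<24} inherent={row['inherent']:<7}current={row['current']:<7}"
              f"residual={row['residual']:<7}treat={row['treatment_required']}")
    for item in treatment_plan(register, SAMPLE_RISKS):
        status = "ESCALATE" if item["needs_escalation"] else "mitigated"
        print(f"- {item['asset']}: {', '.join(item['controls'])} -> {item['expected_rating']} ({status})")
```

The second sample finding is the case worth noticing: the proposed segmentation only lowers the jump host from High to High, so the plan marks it for escalation rather than reporting it as treated. A register that cannot express "still above appetite after the recommended controls" invites exactly the false assurance step 8 of the assessment phase is meant to avoid.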